BIND dnssec issue

Mahdi Adnan mahdi.adnan at outlook.com
Mon Nov 7 06:00:43 UTC 2016


Thank you for your response.


Date is correct in all servers as well as RRSIG.

Mon Nov  7 08:56:03 AST 2016
Mon Nov  7 05:56:03 UTC 2016



; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +cd +dnssec dnskey +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2882
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 475207 IN NS e.root-servers.net.
. 475207 IN NS l.root-servers.net.
. 475207 IN NS f.root-servers.net.
. 475207 IN NS c.root-servers.net.
. 475207 IN NS d.root-servers.net.
. 475207 IN NS j.root-servers.net.
. 475207 IN NS g.root-servers.net.
. 475207 IN NS i.root-servers.net.
. 475207 IN NS h.root-servers.net.
. 475207 IN NS a.root-servers.net.
. 475207 IN NS b.root-servers.net.
. 475207 IN NS m.root-servers.net.
. 475207 IN NS k.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 (
20161120050000 20161107040000 39291 .
eKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
Uxd36YM/lRLTOvqcjiZu18lsgSC7cpmiyNkQ4ibbqe5z
sgOXAdhXhmeqK8Bo3x3kP8VHWzbU6MOkN+O+LHOFXgx1
BUlo83LKqsJVMw/mYTLo0RguMGS5L7lLgDSbMUe0ow78
vg0MdIJo90AeEga084UIF9swAi3JZt5ds+82xkbhmmYT
RrsUknd763IUS04z8lEo60bAlMD3huGboa8Dtagd6lXC
NKXvCbQYQJu6hwMwxC5Kdmj0+cYn7PJJqye7XCSSipUo
Uxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 07 08:57:33 AST 2016
;; MSG SIZE  rcvd: 525




As for the messages, I only got these messages during the period of 4 minutes from 10:00 PM to 10:04 PM.


--

Respectfully
Mahdi A. Mahdi

________________________________
From: Mark Andrews <marka at isc.org>
Sent: Monday, November 7, 2016 12:17:21 AM
To: Mahdi Adnan
Cc: bind-users at lists.isc.org
Subject: Re: BIND dnssec issue


First check your system clocks and make sure they are correct.

'date -u' will show the time in UTC.

Here in Australia we are 11 hours in front of UTC so
when I run 'date; date -u' I get:

Mon  7 Nov 2016 07:42:33 EST
Sun  6 Nov 2016 20:42:33 UTC

'dig +cd +dnssec' will let you see the RRSIG inception and expiration
times. They are in UTC.  Below, the RRSIG expires at 20161114235959
and it was created at 20161031000000.

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0 <<>> +cd +dnssec dnskey . +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43548
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: c393bcde3d692889e9f12574581f9746ca751f3f49a0a1aa (good)
;; QUESTION SECTION:
;.                      IN DNSKEY

;; ANSWER SECTION:
.                       171135 IN DNSKEY 256 3 8 (
                                AwEAAYbinauHA9oUb4aGNtJIrepyGoYy0OL01rvIhvo3
                                RWN/Ch8p2C4ZEkpvUYkx74r9JpgrOsjKOv+JQdKtT2u8
                                AxGjUoH8x8HdpDiMV7XnpWJo9wAxlFtDtbMnPwRQ3dWs
                                T1p5myrGcm7EFJ9j7KmiAEG5hGsevZqcnqMOW9QFkmp/
                                zM0TFYXYWq6AsAof2uZqLUyd+nHIW0TGsaHMzcTNfA8W
                                w+OYV7R4bcR/8edCEo6OAh9j48R1hRtuO1e2MQdnkITc
                                9DJljB4Cq1gQKwv/ku7mAvmFuWkRotMZIFN3vDhpmpmy
                                7M0C1EHSRAgP+HkblLRQKOPnwI/VksJEU4fmnhk=
                                ) ; ZSK; alg = RSASHA256 ; key id = 39291
.                       171135 IN DNSKEY 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; KSK; alg = RSASHA256 ; key id = 19036
.                       171135 IN RRSIG DNSKEY 8 0 172800 (
                                20161114235959 20161031000000 19036 .
                                LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
                                AbZG6LLCmlpCJ55Ngf/sdE4UXUPJ/m6CFRYT+aAePvEW
                                rjRPGGX64V82oCeCPyAqD4XHd3CIQi3LBYk8ZbEktyvB
                                X+VS16rbSEQib7xNYvohtiJ0dRiw/wjr6YVF8xUdYO1v
                                vXPYOGXISYwW4vDiKAuyLDGuoLRh/F9GZQxBPwv6Bmx8
                                /JfNCfIygbnZ/8qIZUsFH68DPbAHPBqwR1GP+haAa6vQ
                                PhXwn4p+Vci7rYNzfPzdQfDNWsQ+8ur8xxSdanAZcZRr
                                ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 07 07:49:10 EST 2016
;; MSG SIZE  rcvd: 892

As for "got insecure response; parent indicates it should be secure",
there are still systems out there that do not respond to EDNS
queries or only respond to the first EDNS query.  To get answers
from these systems, especially after a lost packet, named has to
ask plain DNS questions, and as plain DNS does not have EDNS there
is no DO=1 flag, so one does not get DNSSEC records in the responses to
those queries.  When such answers go through the validator and the
zone is signed you will see this message logged.

Old Microsoft Windows DNS servers exhibit this "only answer the first
EDNS query" issue.  You need to ask a plain DNS query to get a response
after the first EDNS query.  When we do EDNS compliance testing we
can see these systems as they end up being formerr and timeouts
except for plain DNS.

bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok
edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout
ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout
optlist=timeout signed=timeout ednstcp=formerr

hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok
edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa
edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout
signed=timeout ednstcp=timeout

If you have lots of these messages check that your firewall allows
through large (> 1500 byte) EDNS responses.  Packet loss and bad
local firewalls can make named think that it is talking to such a
system.  Excessive buffer bloat can also cause named to think it
is talking to such a system.  A big upload / download can make
visible the buffer bloat in the routers on your link.

Mark

In message <BL2PR01MB3393C454FDCE60904E2781CFFA40 at BL2PR01MB339.prod.exchangelabs.com>, Mahdi Adnan writes:
> Hello,
>
>
> We have several Bind recursive servers and all of them stop responding to
> queries at 10:00 PM daily for 4 minutes starting from November 1st with
> the following error in the logs;
>
>
> "SOA: got insecure response; parent indicates it should be secure"
>
> "DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has
> expired"
>
> "dlv.isc.org SOA: got insecure response; parent indicates it should be
> secure"
>
>
>
> servers running different versions of BIND (9.9 and 9.10) but all are up
> to date.
>
> anyone have any idea about this issue ?
>
>
> Thanks
> --
>
> Respectfully
> Mahdi A. Mahdi

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
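The two checks Mark describes above, as an added Python example that is not part of BIND and was not posted by anyone in this thread: (1) convert a local `date` reading to UTC and test it against the RRSIG inception/expiration stamps from `dig +cd +dnssec` (the validator's "RRSIG has expired" condition, plus the mirror-image "not yet valid" case), and (2) parse the EDNS-compliance summary lines and flag servers that answer plain DNS but none of the EDNS variants, the pattern that forces named to fall back to DO=0 queries. The sample RRSIGs and report lines are copied from the output quoted above and embedded as constructed input; the function names, the `skew` tolerance and the `plain-dns-only` / `partial-edns` / `compliant` labels are this example's own, and the report-line format is assumed from the two lines shown.

```python
"""Triage helpers: is the local clock inside every RRSIG's [inception,
expiration] window (both stamps are UTC), and does an EDNS-compliance line
describe a server that only answers plain DNS?  Example code, not BIND's."""
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA as dig prints it, with or without +multi line wrapping:
#   RRSIG <type> <alg> <labels> <origttl> ( <expiration> <inception> <keytag> <signer>
_RRSIG_RE = re.compile(
    r"RRSIG\s+(?P<type>\w+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)"
    r"\s+\(?\s*(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)
_STAMP = "%Y%m%d%H%M%S"  # RFC 4034 presentation format; always UTC


def _stamp(s: str) -> datetime:
    return datetime.strptime(s, _STAMP).replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str) -> list:
    """Extract type, keytag, inception and expiration of each RRSIG in dig output."""
    return [
        {"type": m["type"], "keytag": int(m["keytag"]),
         "inception": _stamp(m["inc"]), "expiration": _stamp(m["exp"])}
        for m in _RRSIG_RE.finditer(dig_output)
    ]


def rrsig_status(sig: dict, now: datetime, skew: timedelta = timedelta(0)) -> str:
    """Validator view of one RRSIG at `now` (tz-aware; compared in UTC).
    `skew` (assumed tolerance, not a BIND knob) widens the window: a signature
    that is only 'valid' once skew is added points at the local clock."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; RRSIG times are UTC")
    now = now.astimezone(timezone.utc)
    if now > sig["expiration"] + skew:
        return "expired"          # what named logs as "RRSIG has expired"
    if now < sig["inception"] - skew:
        return "not-yet-valid"    # clock behind, or signer's clock ahead
    return "valid"


def local_to_utc(local_stamp: str, utc_offset_hours: int) -> datetime:
    """Turn a `date`-style local reading (e.g. AST = UTC+3) into UTC, the
    way named's comparison with RRSIG stamps effectively does."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def triage(dig_output: str, now: datetime) -> list:
    return [(s["type"], s["keytag"], rrsig_status(s, now)) for s in parse_rrsigs(dig_output)]


# One line of EDNS-compliance output, format assumed from the lines above:
#   <zone> @<address> (<server name>): dns=ok edns=... edns@512=... ednstcp=...
_REPORT_RE = re.compile(r"^(?P<zone>\S+)\s+@(?P<addr>\S+)\s+\((?P<name>\S+)\):\s+(?P<tests>.*)$")


def parse_report_line(line: str) -> dict:
    m = _REPORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a compliance report line: %r" % line)
    tests = dict(t.split("=", 1) for t in m["tests"].split())
    return {"zone": m["zone"], "addr": m["addr"], "name": m["name"], "tests": tests}


def classify_server(report: dict) -> str:
    """'plain-dns-only': plain DNS works but every EDNS variant fails, so a
    resolver must retry without EDNS and gets answers carrying no DNSSEC data."""
    tests = report["tests"]
    if all(v.startswith("ok") for v in tests.values()):
        return "compliant"
    edns_ok = any(v.startswith("ok") for k, v in tests.items() if k != "dns")
    if tests.get("dns", "").startswith("ok") and not edns_ok:
        return "plain-dns-only"
    return "partial-edns"


# Constructed sample input: the RRSIGs and report lines quoted in this thread.
DIG_SAMPLE = """\
.\t475207\tIN\tRRSIG\tNS 8 0 518400 (
\t\t20161120050000 20161107040000 39291 .
\t\teKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c )
.\t171135\tIN\tRRSIG\tDNSKEY 8 0 172800 (
\t\t20161114235959 20161031000000 19036 .
\t\tLPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV )
"""
REPORT_SAMPLE = [
    "bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok edns=formerr,nosoa "
    "edns1=formerr,badversion edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout "
    "ednsflags=timeout optlist=timeout signed=timeout ednstcp=formerr",
    "hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok edns=timeout edns1=timeout "
    "edns@512=timeout ednsopt=formerr,echoed,nosoa edns1opt=timeout do=timeout ednsflags=timeout "
    "optlist=timeout signed=timeout ednstcp=timeout",
]

if __name__ == "__main__":
    now = local_to_utc("2016-11-07 08:56:03", 3)   # the AST (UTC+3) clock from the reply
    for row in triage(DIG_SAMPLE, now):
        print(*row)
    for line in REPORT_SAMPLE:
        r = parse_report_line(line)
        print(r["name"], classify_server(r))
```

Run it against your own `dig +cd +dnssec +multi` output and `date` reading; if every signature reports `valid` at the correct UTC time, the clock is not the problem and the remaining candidates are the EDNS fallback and firewall issues Mark lists, which the second half of the script helps spot in compliance output.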